HIPAA and Mobile Device Safeguards
The HIPAA Security Rule establishes national security standards for the confidentiality, integrity, and availability of electronic protected health information.
Any covered entity that transmits electronic protected health information must observe the requirements for protecting PHI, especially when mobile devices are used. HIPAA and mobile devices are a common concern that every covered entity should address. The safeguards required by the Privacy Rule must be used to accomplish this.
We share with you some of the best standards in use today that meet these requirements.
Use a password or other authentication when using a mobile device
The first key safeguard is authentication. This is the process of verifying the identity of a user, process, or device. Mobile devices today may require passwords, personal identification numbers (PINs), or passcodes before granting access to them. In addition to this safeguard, two-factor authentication is becoming increasingly common for protecting mobile devices.
Masking the passcode field on a device will prevent people from seeing the password, PIN, or passcode. Most mobile devices can also be configured to turn off after a period of inactivity to prevent an unauthorized user from accessing it.
Keep your security software up to date
Regularly updating software is a best practice for safeguarding your mobile device or computer. This will give you the best protection that is available. Most software updates are meant to eliminate weaknesses in the security of your device. This will help prevent unauthorized access to health information on your mobile device.
Install and enable encryption
Encryption is a tool that protects health information stored on and sent by mobile devices. In simple terms, it converts information into a coded form that only the holder of the decryption key can read. Many mobile devices today have built-in encryption capabilities. In addition, an encryption app may be purchased and installed on the device. Encryption is easily used on laptops, flash drives, and mobile telephones.
Install and enable a firewall
Another technical safeguard for a mobile device is a personal firewall. It helps by preventing unauthorized connections. A firewall is designed to block incoming and outgoing connection attempts based on criteria you establish.
Install and activate remote wiping and/or remote disabling
Another helpful safeguard is remote wiping. This allows a covered entity to erase data on a mobile device remotely. Data stored on a lost or stolen device can be erased permanently by the use of this technique.
Remote disabling is another helpful tool as it allows the user to lock or completely erase data stored on a mobile device if it is lost or stolen. The process can be reversed if the mobile device is recovered.
Install and enable security software
Anti-virus software should also be installed to protect against malicious applications such as viruses, spyware, and malware-based attacks. Today it is mandatory to have this on all devices that handle PHI.
Disable and do not install or use file sharing applications
File sharing can be problematic when PHI is concerned. It is software or a system that allows internet users to share computer files. Unfortunately, file sharing can also enable unauthorized users to access your laptop without your knowledge. By disabling or not using file sharing applications, you reduce a known risk to data on your mobile device. If PHI is involved, it is best not to use file sharing unless special precautions are used.
Research mobile applications (apps) before downloading
Mobile apps are abundant today and help with numerous tasks. Unfortunately, there is the danger that they may do something you do not intend them to do and consequently place PHI at risk. Before you acquire an app for a device that holds PHI, verify that it will perform only the functions you want. Before you download an app, inquire about the reliability of the app and its vendor.
Use adequate security to send or receive health information over public Wi-Fi networks
Public Wi-Fi networks are problematic regarding protected health information. It is easy for unauthorized individuals to intercept information without your knowledge. It is best not to use public Wi-Fi networks to send any protected health information unless you use encrypted connections.
You can also consider using a virtual private network (VPN) by creating a private network from a public internet connection. A VPN establishes a secure and encrypted connection to provide greater privacy than even a secured Wi-Fi hotspot.
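The practical form of "use encrypted connections" is that any client code sending PHI refuses plaintext and insists on a verified TLS session. The Python below is an added example, not code from this page or from HIPAA Associates; the function names (`phi_ssl_context`, `check_transport`, `phi_connection`) and the example URLs are assumptions. It uses only the standard library and does not open a network connection.

```python
import http.client
import ssl
from urllib.parse import urlparse


def phi_ssl_context() -> ssl.SSLContext:
    """Build a TLS context suitable for carrying PHI.

    create_default_context() already requires a valid certificate chain and
    checks the hostname; on top of that we refuse anything older than TLS 1.2,
    which is the floor an interceptor on an open hotspot would try to negotiate
    down to.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_transport(url: str) -> tuple[bool, str]:
    """Return (ok, reason). PHI may only travel to an https URL with a host
    name, because the host name is what the certificate is verified against."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, f"refusing to send PHI over '{parts.scheme or 'unknown'}': not encrypted"
    if not parts.hostname:
        return False, "no host name to verify the server certificate against"
    return True, "ok"


def phi_connection(url: str, timeout: float = 10.0) -> http.client.HTTPSConnection:
    """Return an HTTPS connection object bound to the hardened context.

    The socket is not opened until a request is made, so this is safe to call
    offline; an http:// URL raises before anything can leak onto the network.
    """
    ok, reason = check_transport(url)
    if not ok:
        raise ValueError(reason)
    parts = urlparse(url)
    return http.client.HTTPSConnection(
        parts.hostname, parts.port, timeout=timeout, context=phi_ssl_context()
    )


if __name__ == "__main__":
    # Constructed URLs for illustration only.
    for candidate in ("http://portal.example/api/records", "https://portal.example/api/records"):
        print(candidate, "->", check_transport(candidate))
```

Routing the same traffic through a VPN adds a second encrypted layer between the device and the hotspot, but it does not replace this check: the application should still verify the server's certificate end to end.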
Delete all stored health information before discarding or reusing the mobile device
Any time you discard or reuse a mobile device you must consider if it contains protected health information. To be safe you should make a concerted attempt to remove all data from a device before discarding or reusing it. There are guidelines available from NIST on the proper techniques for removing all data.
Maintain physical control
Mobile devices have the benefit of being small and easily portable. Unfortunately, the same characteristics make them easy to lose or steal, which places any protected health information stored on them at great risk of disclosure. It is in your best interest to prevent unauthorized access to or theft of your device by keeping it secured at all times.
It is the duty of every covered entity and business associate who handles protected health information to abide by the HIPAA Privacy Rule. These HIPAA compliance guidelines will help you to continue to use your mobile devices effectively while protecting all protected health information entrusted to you and remaining HIPAA compliant.
Author:
Al Lopez is the Vice President of Operations for HIPAA Associates for the last ten years. Dr. Lopez has passed board certification in internal medicine, pulmonary, and anesthesia and holds a degree as a medical coding specialist. He has served as a Compliance Director and Privacy Officer for over ten years. In addition, Dr. Lopez is certified in Healthcare Compliance and has held various leadership roles within the hospital staff and private practice. His main interest is in HIPAA training.